Key components of KMS

Customer Master Keys (CMK)

This is the main key type within KMS

  • This key can directly encrypt data up to 4 KB in size
  • It is typically used in relation to your DEKs
  • The CMK can generate, encrypt and decrypt these DEKs

There are two types of CMKs:

AWS managed CMKs

  • These are used by other AWS services that interact with KMS to encrypt data
  • They can only be used by the service that created them, within a particular region
  • They are created the first time you enable encryption using that service

Customer managed CMKs

  • These give you greater flexibility over the key's lifecycle
  • You can perform rotation, govern access, and configure the key policy
  • You can disable the key when it is no longer required, and enable it again later

AWS services can also be configured to use your own customer managed CMKs

Any CMKs created within KMS are protected by FIPS 140-2 validated cryptographic modules

Data Encryption Keys (DEK)

Data keys are used to encrypt your data, which can be of any size; the CMK only ever encrypts the data key itself
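The envelope encryption flow the CMK and DEK sections describe, as an added example that is not part of the original post and not AWS code. The SimulatedKms class only mirrors the shape of the KMS GenerateDataKey / Encrypt / Decrypt calls (the Plaintext, CiphertextBlob and KeyId response fields match boto3's); its wrapping uses an HMAC-SHA256 keystream, which is a toy cipher standing in for AES, and the key ids and sample data are constructed. The 4 KB limit and the rule that the CMK material never leaves the service are the real KMS properties being illustrated.

```python
import hashlib
import hmac
import secrets

# KMS Encrypt accepts at most 4 KB of plaintext; anything larger goes through a DEK.
CMK_DIRECT_ENCRYPT_LIMIT = 4096


def fits_direct_cmk_encrypt(plaintext: bytes) -> bool:
    """True when the CMK can encrypt this payload directly (the 4 KB rule)."""
    return len(plaintext) <= CMK_DIRECT_ENCRYPT_LIMIT


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream.

    Toy cipher for the demonstration only (assumption: stands in for AES-GCM);
    it is symmetric, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for block_index in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_index.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_index * 32:(block_index + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class SimulatedKms:
    """Stand-in for the KMS API: CMK material stays inside this object."""

    def __init__(self) -> None:
        self._cmks: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "constructed-cmk-" + secrets.token_hex(4)  # constructed id
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        if not fits_direct_cmk_encrypt(plaintext):
            raise ValueError("CMK can only encrypt up to 4 KB directly; use a data key")
        nonce = secrets.token_bytes(16)
        # The blob records which CMK wrapped it, as a real KMS ciphertext does.
        return key_id.encode() + b"|" + nonce + _keystream_xor(self._cmks[key_id], nonce, plaintext)

    def decrypt(self, ciphertext_blob: bytes) -> bytes:
        key_id, rest = ciphertext_blob.split(b"|", 1)
        nonce, body = rest[:16], rest[16:]
        return _keystream_xor(self._cmks[key_id.decode()], nonce, body)

    def generate_data_key(self, key_id: str) -> dict:
        """Return a fresh DEK both in plaintext and wrapped by the CMK."""
        plaintext_dek = secrets.token_bytes(32)
        return {"Plaintext": plaintext_dek,
                "CiphertextBlob": self.encrypt(key_id, plaintext_dek),
                "KeyId": key_id}


def envelope_encrypt(kms: SimulatedKms, key_id: str, data: bytes) -> dict:
    """Encrypt data of any size with a DEK; store only the CMK-wrapped DEK."""
    data_key = kms.generate_data_key(key_id)
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(data_key["Plaintext"], nonce, data)
    # The plaintext DEK is dropped here; only the wrapped copy travels with the data.
    return {"encrypted_dek": data_key["CiphertextBlob"], "nonce": nonce, "ciphertext": ciphertext}


def envelope_decrypt(kms: SimulatedKms, envelope: dict) -> bytes:
    """Ask KMS to unwrap the DEK, then decrypt the payload locally."""
    dek = kms.decrypt(envelope["encrypted_dek"])
    return _keystream_xor(dek, envelope["nonce"], envelope["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    cmk = kms.create_key()
    payload = bytes(range(256)) * 256  # constructed 64 KB sample, far above the 4 KB limit
    envelope = envelope_encrypt(kms, cmk, payload)
    print("round trip ok:", envelope_decrypt(kms, envelope) == payload)
```

The point to take from the flow is where each key lives: the CMK never leaves the service, the wrapped DEK is safe to store next to the ciphertext, and the plaintext DEK should exist only for the duration of the local encrypt or decrypt.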

Key Policies

The key policies allow you to define who can use and access a key in KMS

  • These policies are tied to the CMK; they are resource-based policies
  • Different key policies can be created for different CMKs
  • The permissions are defined within a key policy JSON document


Grants are another method of controlling access and use of the CMKs held within KMS

  • They allow you to delegate a subset of your own access to a CMK to other principals
  • There is less risk of someone altering the access control permissions for that CMK
  • A grant can never include the kms:PutKeyPolicy permission, so a grantee cannot rewrite the key policy
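A key policy document and the grant delegation rule from the Key Policies and Grants sections, as an added example that is not part of the original post and not AWS's evaluation logic. The policy JSON follows the real KMS key-policy shape, but the account id 111122223333 and the role names are placeholders; policy_allows is a simplified evaluator (explicit Deny wins, otherwise any matching Allow; no IAM policies, conditions or cross-account rules), and GRANT_OPERATIONS is a subset of the operations KMS actually lets a grant convey. kms:PutKeyPolicy is not a grant operation, which is the property the last bullet above relies on.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample key policy; account id and role names are placeholders.
KEY_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Id": "constructed-key-policy",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow administration of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}
  ]
}
""")

ACCOUNT_ROOT = "arn:aws:iam::111122223333:root"
KEY_ADMIN = "arn:aws:iam::111122223333:role/KeyAdmin"
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"
LAMBDA_ROLE = "arn:aws:iam::111122223333:role/ReportLambda"  # constructed grantee

# Subset of the operations a KMS grant may convey. PutKeyPolicy is deliberately
# absent because KMS does not allow it in a grant.
GRANT_OPERATIONS = {"Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                    "ReEncryptFrom", "ReEncryptTo", "DescribeKey", "CreateGrant", "RetireGrant"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_principals(statement) -> list:
    principal = statement["Principal"]
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def policy_allows(policy: dict, principal: str, action: str) -> bool:
    """Simplified resource-policy evaluation: a matching Deny wins, else any matching Allow."""
    allowed = False
    for statement in policy["Statement"]:
        principals = _statement_principals(statement)
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"])):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ungrantable_operations(operations) -> list:
    """Operations that cannot appear in a grant (e.g. PutKeyPolicy)."""
    return sorted(set(operations) - GRANT_OPERATIONS)


class GrantedKey:
    """A CMK with its key policy plus the grants issued against it."""

    def __init__(self, policy: dict) -> None:
        self.policy = policy
        self.grants: list[dict] = []

    def create_grant(self, grantor: str, grantee: str, operations) -> dict:
        # Issuing a grant is itself a permission the key policy must give the grantor.
        if not policy_allows(self.policy, grantor, "kms:CreateGrant"):
            raise PermissionError(f"{grantor} lacks kms:CreateGrant on this key")
        rejected = ungrantable_operations(operations)
        if rejected:
            raise ValueError(f"operations cannot be granted: {rejected}")
        grant = {"GrantId": f"constructed-grant-{len(self.grants) + 1}",
                 "GranteePrincipal": grantee, "Operations": sorted(operations)}
        self.grants.append(grant)
        return grant

    def is_allowed(self, principal: str, action: str) -> bool:
        """Allowed if the key policy permits it, or a grant names this principal and operation."""
        if policy_allows(self.policy, principal, action):
            return True
        operation = action.split(":", 1)[1]
        return any(g["GranteePrincipal"] == principal and operation in g["Operations"]
                   for g in self.grants)


if __name__ == "__main__":
    key = GrantedKey(KEY_POLICY)
    key.create_grant(KEY_ADMIN, LAMBDA_ROLE, ["Decrypt", "DescribeKey"])
    print("lambda may decrypt:", key.is_allowed(LAMBDA_ROLE, "kms:Decrypt"))
    print("lambda may edit policy:", key.is_allowed(LAMBDA_ROLE, "kms:PutKeyPolicy"))
```

Two checks are worth keeping when reviewing a real key policy: the administrator statement should not also carry the usage actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*), so key administrators and key users stay separate roles, and any delegation to workloads should go through grants so that the key policy, and with it kms:PutKeyPolicy, stays with the administrators.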
Nadtakan Futhoem — Sr. Software Engineer